On Fri, 16 Nov 2018 at 14:19:16 -0800, Josh Triplett wrote:
> On Fri, 16 Nov 2018 10:20:07 +0100 Bastian Blank <wa...@debian.org> wrote:
> > Debian does not support unprivileged user namespaces, so chromium needs
> > to depend on -sandbox to get a working package.
>
> Should we, perhaps, support unprivileged user namespaces? Or, at least,
> a means of granting targeted permission to use such namespaces without
> being full root?

We have this mode available. Sysadmins can select it with:

    sysctl -w kernel.unprivileged_userns_clone=1

which leads to the same behaviour as upstream kernels, Fedora, and recent
Ubuntu releases. (Or use /etc/sysctl.d to change this in a persistent way.)

However, Debian's kernel maintainer has indicated that he doesn't consider
this mechanism to be completely safe (I'm not sure to what extent this is
still true), hence the current default.

Setting up a user namespace gives you all capabilities in the namespace
(including CAP_SYS_ADMIN, which is required if you want to protect part or
all of the host system directory tree from the namespaced process by playing
with mount namespaces and bind-mounts, like Flatpak does), so if you suspect
the kernel still has flaws in which capabilities in non-init user namespaces
can be abused to get privileged access to the overall system, you can't
allow it.

The bwrap utility in the bubblewrap package is also setuid root on Debian
systems, and mitigates the risks of user namespaces by irreversibly dropping
privileges with the NO_NEW_PRIVS prctl after it has done its work
(presumably chromium's sandbox does the same).

I wonder whether chromium's sandbox could use bwrap? That way we'd only need
one setuid user-namespace-creating executable; bwrap is already shared
between Flatpak, gnome-desktop3 (for thumbnailers), nautilus (also for
thumbnailers) and opam.

Sysadmins who have set kernel.unprivileged_userns_clone=1 can use
dpkg-statoverride to make bwrap non-setuid, as it is on recent Ubuntu
systems (the same compiled binary can work either way, since it detects
which mode to work in at runtime).

    smcv
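The sequence the message attributes to bwrap (do the privileged user-namespace work first, then drop privileges irreversibly with NO_NEW_PRIVS), together with a read of the Debian sysctl it mentions, as an added example in C; this is not bwrap's or chromium's code, and the function names are my own. It implements only the unprivileged mode, where the caller maps its own uid/gid into the new namespace; the setuid mode needs a still-privileged process to write the id maps on the child's behalf and is not shown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Debian's kernel.unprivileged_userns_clone, or -1 if the knob is absent. */
int debian_userns_sysctl(void)
{
    int value = -1;
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    if (f) { if (fscanf(f, "%d", &value) != 1) value = -1; fclose(f); }
    return value;
}

/* One short write, which the /proc/self id-map files require. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, text, strlen(text)) < 0 ? errno : 0;
    close(fd);
    return -err;
}

/* The privileged step (unprivileged-mode variant): a user namespace mapping
 * the caller's own uid/gid; -EPERM for unprivileged callers while sysctl is 0. */
int create_userns(void)
{
    char map[64];
    uid_t uid = getuid(); gid_t gid = getgid(); /* read before unshare() */
    if (unshare(CLONE_NEWUSER) != 0) return -errno;
    int rc = write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "%u %u 1", uid, uid);
    if (rc == 0) rc = write_file("/proc/self/uid_map", map);
    snprintf(map, sizeof map, "%u %u 1", gid, gid);
    return rc == 0 ? write_file("/proc/self/gid_map", map) : rc;
}

/* Once the namespace work is done, give privilege up for good: real ids in
 * all three slots, then NO_NEW_PRIVS so no later execve can regain it. */
int drop_privileges_irreversibly(void)
{
    if (setresgid(getgid(), getgid(), getgid()) != 0) return -errno;
    if (setresuid(getuid(), getuid(), getuid()) != 0) return -errno;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : -EINVAL;
}
```

A caller runs create_userns() and any mount setup first, then drop_privileges_irreversibly() before executing the sandboxed program; after that point no setuid binary or file capability can raise privilege again.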